<!DOCTYPE html>
<html lang="zh-CN,zh-Hans,default">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 5.4.0">
  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">

<link rel="stylesheet" href="/css/main.css">


<link rel="stylesheet" href="/lib/font-awesome/css/all.min.css">

<script id="hexo-configurations">
    var NexT = window.NexT || {};
    var CONFIG = {"hostname":"51liveup.cn","root":"/","scheme":"Gemini","version":"7.8.0","exturl":false,"sidebar":{"position":"left","display":"post","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":false,"show_result":false,"style":null},"back2top":{"enable":true,"sidebar":false,"scrollpercent":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":false,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}}};
  </script>

  <meta name="description" content="本篇内容最初发表于我的 另一个博客">
<meta property="og:type" content="article">
<meta property="og:title" content="CentOS 6.6 配置防火墙">
<meta property="og:url" content="http://51liveup.cn/2016/01/03/CentOS-6.6-%E9%85%8D%E7%BD%AE%E9%98%B2%E7%81%AB%E5%A2%99/index.html">
<meta property="og:site_name" content="快乐地生活">
<meta property="og:description" content="本篇内容最初发表于我的 另一个博客">
<meta property="og:locale" content="zh_CN">
<meta property="article:published_time" content="2016-01-03T05:19:11.000Z">
<meta property="article:modified_time" content="2021-09-04T02:41:42.340Z">
<meta property="article:author" content="大道自然">
<meta property="article:tag" content="CentOS">
<meta name="twitter:card" content="summary">

<link rel="canonical" href="http://51liveup.cn/2016/01/03/CentOS-6.6-%E9%85%8D%E7%BD%AE%E9%98%B2%E7%81%AB%E5%A2%99/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  CONFIG.page = {
    sidebar: "",
    isHome : false,
    isPost : true,
    lang   : 'zh-CN'
  };
</script>

  <title>CentOS 6.6 配置防火墙 | 快乐地生活</title>
  






  <noscript>
  <style>
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

</head>

<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container use-motion">
    <div class="headband"></div>

    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="切换导航栏">
      <span class="toggle-line toggle-line-first"></span>
      <span class="toggle-line toggle-line-middle"></span>
      <span class="toggle-line toggle-line-last"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/" class="brand" rel="start">
      <span class="logo-line-before"><i></i></span>
      <h1 class="site-title">快乐地生活</h1>
      <span class="logo-line-after"><i></i></span>
    </a>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
    </div>
  </div>
</div>




<nav class="site-nav">
  <ul id="menu" class="main-menu menu">
        <li class="menu-item menu-item-home">

    <a href="/" rel="section"><i class="fa fa-home fa-fw"></i>首页</a>

  </li>
        <li class="menu-item menu-item-about">

    <a href="/about/" rel="section"><i class="fa fa-user fa-fw"></i>关于</a>

  </li>
        <li class="menu-item menu-item-tags">

    <a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>标签</a>

  </li>
        <li class="menu-item menu-item-categories">

    <a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>分类</a>

  </li>
        <li class="menu-item menu-item-archives">

    <a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>归档</a>

  </li>
        <li class="menu-item menu-item-commonweal">

    <a href="/404/" rel="section"><i class="fa fa-heartbeat fa-fw"></i>公益 404</a>

  </li>
  </ul>
</nav>




</div>
    </header>

    
  <div class="back-to-top">
    <i class="fa fa-arrow-up"></i>
    <span>0%</span>
  </div>


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content post posts-expand">
            

    
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="http://51liveup.cn/2016/01/03/CentOS-6.6-%E9%85%8D%E7%BD%AE%E9%98%B2%E7%81%AB%E5%A2%99/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.gif">
      <meta itemprop="name" content="大道自然">
      <meta itemprop="description" content="">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="快乐地生活">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          CentOS 6.6 配置防火墙
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>

              <time title="创建时间：2016-01-03 13:19:11" itemprop="dateCreated datePublished" datetime="2016-01-03T13:19:11+08:00">2016-01-03</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">更新于</span>
                <time title="修改时间：2021-09-04 10:41:42" itemprop="dateModified" datetime="2021-09-04T10:41:42+08:00">2021-09-04</time>
              </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">分类于</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/%E6%8A%80%E6%9C%AF/" itemprop="url" rel="index"><span itemprop="name">技术</span></a>
                </span>
                  ，
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/%E6%8A%80%E6%9C%AF/linux/" itemprop="url" rel="index"><span itemprop="name">linux</span></a>
                </span>
            </span>

          

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
        <p>本篇内容最初发表于我的 <a target="_blank" rel="noopener" href="http://my.oschina.net/thinker4self/blog/510566">另一个博客</a></p>
<span id="more"></span>

<h2 id="1、可以在shell窗口执行下面命令"><a href="#1、可以在shell窗口执行下面命令" class="headerlink" title="1、可以在shell窗口执行下面命令"></a>1、可以在shell窗口执行下面命令</h2><pre><code>#这个一定要先做，不然清空后可能会悲剧
iptables -P INPUT ACCEPT
 #清空默认所有规则 
iptales -F

#清空自定义的所有规则 
iptables -X

#计数器置0
 iptables -Z

 #如果没有此规则，你将不能通过127.0.0.1访问本地服务，例如ping 127.0.0.1 
 iptables -A INPUT -i lo -j ACCEPT    

#开启ssh端口22 一定要加，要不然不能从远程访问了
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

#保存配置
service iptables save

#重启防火墙服务,重启后上面的配置就生效了
service iptables restart
</code></pre>
<p>现在可以查看状态</p>
<pre><code>iptables -L
 
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http 
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
</code></pre>
<h2 id="2、也可以通过编辑-etc-sysconfig-iptables-文件达到上面相同的效果"><a href="#2、也可以通过编辑-etc-sysconfig-iptables-文件达到上面相同的效果" class="headerlink" title="2、也可以通过编辑 /etc/sysconfig/iptables 文件达到上面相同的效果"></a>2、也可以通过编辑 /etc/sysconfig/iptables 文件达到上面相同的效果</h2><pre><code>cat /etc/sysconfig/iptables
 
# Generated by iptables-save v1.4.7 on Thu Sep 24 02:58:30 2015
*filter
:INPUT ACCEPT [203:40425]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [108209:100980717]
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
#-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
 
##下面两行如果不加，除了上述两个规则之外的端口也是可以访问的     
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
 
COMMIT
</code></pre>
<p>保存文件后重启服务</p>
<pre><code>service iptables restart
</code></pre>
<h2 id="3、网上找的其他配置说明："><a href="#3、网上找的其他配置说明：" class="headerlink" title="3、网上找的其他配置说明："></a>3、网上找的其他配置说明：</h2><pre><code>#如果没有此规则，你将不能通过127.0.0.1访问本地服务，例如ping 127.0.0.1 iptables -A INPUT -i lo -j ACCEPT    
 
#开启ssh端口22 
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 
#开启FTP端口21 
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
 
#开启web服务端口80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
 
#tomcat 
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
 
#mysql 
iptables -A INPUT -p tcp --dport xxxx -j ACCEPT
 
#允许icmp包通过,也就是允许ping 
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
 
#允许所有对外请求的返回包 
#本机对外请求相当于OUTPUT,对于返回数据包必须接收啊，这相当于INPUT了 
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
 
#如果要添加内网ip信任（接受其所有TCP请求） 
iptables -A INPUT -p tcp -s 45.96.174.68 -j ACCEPT
 
#每秒中最多允许5个新连接
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s --limit-burst 5 -j ACCEPT
 
#每秒中最多允许5个新连接
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
 
#Ping洪水攻击
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
 
#封单个IP的命令是：
iptables -I INPUT -s 222.34.135.106 -j DROP
 
#封IP段的命令是：
iptables -I INPUT -s 211.1.0.0/16 -j DROP
iptables -I INPUT -s 211.2.0.0/16 -j DROP
iptables -I INPUT -s 211.3.0.0/16 -j DROP
 
#封整个段的命令是：
iptables -I INPUT -s 211.0.0.0/8 -j DROP
 
#封几个段的命令是：
iptables -I INPUT -s 61.37.80.0/24 -j DROP
iptables -I INPUT -s 61.37.81.0/24 -j DROP
 
#过滤所有非以上规则的请求 
iptables -P INPUT DROP
</code></pre>

    </div>

    
    
    

      <footer class="post-footer">
          <div class="post-tags">
              <a href="/tags/CentOS/" rel="tag"># CentOS</a>
          </div>

        


        
    <div class="post-nav">
      <div class="post-nav-item">
    <a href="/2016/01/02/Markdown-%E6%96%B0%E6%89%8B%E6%8C%87%E5%8D%97/" rel="prev" title="Markdown 新手指南">
      <i class="fa fa-chevron-left"></i> Markdown 新手指南
    </a></div>
      <div class="post-nav-item">
    <a href="/2016/01/03/2016%E5%B9%B4%E5%85%83%E6%97%A6/" rel="next" title="2016年元旦">
      2016年元旦 <i class="fa fa-chevron-right"></i>
    </a></div>
    </div>
      </footer>
    
  </article>
  
  
  



          </div>
          

<script>
  window.addEventListener('tabs:register', () => {
    let { activeClass } = CONFIG.comments;
    if (CONFIG.comments.storage) {
      activeClass = localStorage.getItem('comments_active') || activeClass;
    }
    if (activeClass) {
      let activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
      if (activeTab) {
        activeTab.click();
      }
    }
  });
  if (CONFIG.comments.storage) {
    window.addEventListener('tabs:click', event => {
      if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
      let commentClass = event.target.classList[1];
      localStorage.setItem('comments_active', commentClass);
    });
  }
</script>

        </div>
          
  
  <div class="toggle sidebar-toggle">
    <span class="toggle-line toggle-line-first"></span>
    <span class="toggle-line toggle-line-middle"></span>
    <span class="toggle-line toggle-line-last"></span>
  </div>

  <aside class="sidebar">
    <div class="sidebar-inner">

      <ul class="sidebar-nav motion-element">
        <li class="sidebar-nav-toc">
          文章目录
        </li>
        <li class="sidebar-nav-overview">
          站点概览
        </li>
      </ul>

      <!--noindex-->
      <div class="post-toc-wrap sidebar-panel">
          <div class="post-toc motion-element"><ol class="nav"><li class="nav-item nav-level-2"><a class="nav-link" href="#1%E3%80%81%E5%8F%AF%E4%BB%A5%E5%9C%A8shell%E7%AA%97%E5%8F%A3%E6%89%A7%E8%A1%8C%E4%B8%8B%E9%9D%A2%E5%91%BD%E4%BB%A4"><span class="nav-number">1.</span> <span class="nav-text">1、可以在shell窗口执行下面命令</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#2%E3%80%81%E4%B9%9F%E5%8F%AF%E4%BB%A5%E9%80%9A%E8%BF%87%E7%BC%96%E8%BE%91-etc-sysconfig-iptables-%E6%96%87%E4%BB%B6%E8%BE%BE%E5%88%B0%E4%B8%8A%E9%9D%A2%E7%9B%B8%E5%90%8C%E7%9A%84%E6%95%88%E6%9E%9C"><span class="nav-number">2.</span> <span class="nav-text">2、也可以通过编辑 &#x2F;etc&#x2F;sysconfig&#x2F;iptables 文件达到上面相同的效果</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#3%E3%80%81%E7%BD%91%E4%B8%8A%E6%89%BE%E7%9A%84%E5%85%B6%E4%BB%96%E9%85%8D%E7%BD%AE%E8%AF%B4%E6%98%8E%EF%BC%9A"><span class="nav-number">3.</span> <span class="nav-text">3、网上找的其他配置说明：</span></a></li></ol></div>
      </div>
      <!--/noindex-->

      <div class="site-overview-wrap sidebar-panel">
        <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
  <p class="site-author-name" itemprop="name">大道自然</p>
  <div class="site-description" itemprop="description"></div>
</div>
<div class="site-state-wrap motion-element">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/archives/">
        
          <span class="site-state-item-count">30</span>
          <span class="site-state-item-name">日志</span>
        </a>
      </div>
      <div class="site-state-item site-state-categories">
            <a href="/categories/">
          
        <span class="site-state-item-count">6</span>
        <span class="site-state-item-name">分类</span></a>
      </div>
      <div class="site-state-item site-state-tags">
            <a href="/tags/">
          
        <span class="site-state-item-count">19</span>
        <span class="site-state-item-name">标签</span></a>
      </div>
  </nav>
</div>



      </div>

    </div>
  </aside>
  <div id="sidebar-dimmer"></div>


      </div>
    </main>

    <footer class="footer">
      <div class="footer-inner">
        

        

<div class="copyright">
  
  &copy; 
  <span itemprop="copyrightYear">2021</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">大道自然</span>
</div>
  <div class="powered-by">由 <a href="https://hexo.io/" class="theme-link" rel="noopener" target="_blank">Hexo</a> & <a href="https://theme-next.org/" class="theme-link" rel="noopener" target="_blank">NexT.Gemini</a> 强力驱动
  </div>

        








      </div>
    </footer>
  </div>

  
  <script src="/lib/anime.min.js"></script>
  <script src="/lib/velocity/velocity.min.js"></script>
  <script src="/lib/velocity/velocity.ui.min.js"></script>

<script src="/js/utils.js"></script>

<script src="/js/motion.js"></script>


<script src="/js/schemes/pisces.js"></script>


<script src="/js/next-boot.js"></script>




  















  

  

</body>
</html>
